Regex for Sudo.log extractions

New Member

Hello folks, I am having a difficult time extracting fields properly from the sudo.log file on several of our servers. Three examples of the data events are as follows:

Jun 7 16:51:05 : si : HOST=dsssplunk101 : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/si/billingdata/jianfang ; USER=root ; COMMAND=/usr/bin/sudosh sghosh

Jun 7 09:17:08 : srivas : HOST=dssbackup101 : command not allowed ; TTY=pts/4 ; PWD=/opt/SIDBBackup/cron ; USER=root ; COMMAND=/bin/su -

Jun 10 10:45:52 : balt : HOST=dssbackup101 : TTY=pts/1 ; PWD=/users/balt ; USER=root ; COMMAND=/usr/bin/sudosh

Jun 15 09:37:23 : srivas : HOST=dsssplunk101 : user NOT in sudoers ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/sudosh

I want to be able to extract the error field as its own entity, like the following:

user NOT in sudoers
command not allowed
1 incorrect password attempt

However, the closest I have gotten is as follows:


which extracts

user NOT in sudoers
command not allowed

but does not extract

1 incorrect password attempt

When I use the built-in AI to create the extraction, it always grabs the TTY=pts/* field and will not let me exclude it.

Any help would be greatly appreciated.


New Member

We found out what the issue with the regex statement was and were able to correct the issue. The issue is that the sudo.log file syntax shows up as having a return character at the end of the lines after they reach a certain length. We fixed this with the following:



Super Champion

Hmm. I tried your regex in a regex tool and it seems like your regex is actually working. Now it could be that there is some whitespace change when you posted your example, so perhaps you could try the following (slightly modified) regex. You can test your extractions interactively using the rex search command:

source=*sudo.log | rex "(?i)^[^=]*=\w+\s+:\s*(?P<message>.+?)\s*;\s*TTY="

Once you get your regex working with rex, you can add it to one of your local props.conf files to tie it to a source/sourcetype:

EXTRACT-sudo-message = (?i)^[^=]*=\w+\s+:\s*(?P<message>.+?)\s*;\s*TTY=

Instead of using [syslog] you could also make it based on the filename ("source") as well. Simply change the stanza name to [source::.../sudo.log], for example.
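As an added illustration (not code from this thread), here is the answer's regex applied in Python to the four events from the question plus one constructed event wrapped mid-message by a return character, which is the situation the follow-up post describes. The whitespace normalization step and the companion regex for the TTY/PWD/USER/COMMAND fields are my own assumptions, not something posted here.

```python
import re

# The regex from the answer above; Python's (?P<name>...) named groups use the same syntax Splunk does.
SUDO_MESSAGE_RE = re.compile(r"(?i)^[^=]*=\w+\s+:\s*(?P<message>.+?)\s*;\s*TTY=")
# Assumed companion regex for the fixed fields that every event in the question carries.
SUDO_FIELDS_RE = re.compile(
    r"TTY=(?P<tty>\S+)\s*;\s*PWD=(?P<pwd>\S+)\s*;\s*USER=(?P<user>\S+)\s*;\s*COMMAND=(?P<command>.*)$"
)

# Constructed sample events: the four from the question, plus one wrapped mid-message
# with a return character (CR/LF and continuation indent), as the follow-up post describes.
SAMPLE_EVENTS = [
    "Jun 7 16:51:05 : si : HOST=dsssplunk101 : 1 incorrect password attempt ; TTY=pts/1 ; "
    "PWD=/home/si/billingdata/jianfang ; USER=root ; COMMAND=/usr/bin/sudosh sghosh",
    "Jun 7 09:17:08 : srivas : HOST=dssbackup101 : command not allowed ; TTY=pts/4 ; "
    "PWD=/opt/SIDBBackup/cron ; USER=root ; COMMAND=/bin/su -",
    "Jun 10 10:45:52 : balt : HOST=dssbackup101 : TTY=pts/1 ; PWD=/users/balt ; USER=root ; "
    "COMMAND=/usr/bin/sudosh",
    "Jun 15 09:37:23 : srivas : HOST=dsssplunk101 : user NOT in sudoers ; TTY=pts/0 ; PWD=/ ; "
    "USER=root ; COMMAND=/usr/bin/sudosh",
    "Jun 15 09:40:11 : srivas : HOST=dsssplunk101 : 1 incorrect password\r\n    attempt ; "
    "TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/sudosh",
]

def normalize_event(event):
    """Collapse an embedded CR/LF and its continuation indent into one space so '.' can cross it."""
    return re.sub(r"\s*[\r\n]+\s*", " ", event).strip()

def extract_message(event, normalize=True):
    """Return the sudo error text, or None for a successful event that carries no message."""
    if normalize:
        event = normalize_event(event)
    m = SUDO_MESSAGE_RE.search(event)
    return m.group("message") if m else None

def parse_sudo_event(event):
    """Split one event into message (may be None) plus tty, pwd, user and command."""
    event = normalize_event(event)
    fields = {"message": extract_message(event, normalize=False)}
    m = SUDO_FIELDS_RE.search(event)
    if m:
        fields.update(m.groupdict())
    return fields

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(parse_sudo_event(ev))
```

Without normalization the wrapped event yields no message at all, because `.` does not match a newline; after normalization it extracts the same text as the unwrapped events. A message-less event (the balt line) is the normal successful case, so a `None` message is a success, not a parse failure.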
